
<!doctype html>
<html lang="en-US">
  <head>
  <meta charset="utf-8">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="apple-touch-icon" sizes="180x180" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/icon-Unit42-180x180.png">
	<link rel="icon" type="image/png" sizes="32x32" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/icon-Unit42-32x32.png">
	<link rel="icon" type="image/png" sizes="16x16" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/icon-Unit42-16x16.png">
	<link rel="manifest" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/site.webmanifest">
	<link rel="mask-icon" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/safari-pinned-tab.svg" color="#000000">
	<meta name="msapplication-TileColor" content="#000000">
	<meta name="theme-color" content="#000">
        <script type="text/javascript">
// Origin of the corporate site. Both names hold the same literal value and are
// declared with `var` at script top level, so they become page-wide globals.
var main_site_url = 'https://www.paloaltonetworks.com',
    maindomain_lang = 'https://www.paloaltonetworks.com';
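/**
 * Read one query-string parameter out of a URL.
 *
 * The returned value is taken verbatim from the URL and is therefore
 * attacker-controlled: callers must treat it as untrusted input and must not
 * place it into HTML, script, or navigation targets without validation.
 *
 * @param {string} name  Parameter name to look up.
 * @param {string} [url] URL to search; defaults to window.location.href.
 * @returns {?string} The decoded value, '' when the parameter is present
 *   without a value, or null when it is absent or its percent-encoding is
 *   malformed.
 */
function getParameterByName(name, url) {
	if (url == null) {
		url = window.location.href;
	}
	// Escape every regex metacharacter in the name, not only brackets, so a
	// name such as "a.b" cannot match an unrelated parameter like "axb".
	var escapedName = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
	var pattern = new RegExp('[?&]' + escapedName + '(=([^&#]*)|&|#|$)');
	var match = pattern.exec(url);
	if (!match) return null;
	if (!match[2]) return '';
	try {
		// '+' is the form-encoding for a space; convert before percent-decoding.
		return decodeURIComponent(match[2].replace(/\+/g, ' '));
	} catch (e) {
		// decodeURIComponent throws URIError on malformed sequences such as a
		// lone '%'. Treat the parameter as absent instead of letting a crafted
		// URL abort the rest of this head script.
		return null;
	}
}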
	// Language code for this page.
	var d_lang = 'en';
	// Value of the ?container= query parameter of the current URL (null when
	// absent, '' when present without a value).
	var container_q = getParameterByName('container');
	if (!(container_q == null || container_q == '')) {
		// NOTE(review): container_q comes straight from the URL and is stored
		// without validation. Any code that later reads the 'container' key from
		// sessionStorage should treat it as untrusted input.
		sessionStorage.setItem('container', container_q);
		// The redirect target is a fixed literal, not derived from the request,
		// so the query string cannot steer the navigation elsewhere.
		location.href = 'https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet';
	}
</script>
<style type="text/css">
@font-face{font-family:'Merriweather';font-style:normal;font-weight:300;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.eot');src:local('Merriweather Light'),local('Merriweather-Light'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.svg#Merriweather') format('svg')}
@font-face{font-family:'Merriweather';font-style:italic;font-weight:300;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.eot');src:local('Merriweather Light Italic'),local('Merriweather-LightItalic'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.svg#Merriweather') format('svg')}
@font-face{font-family:'Merriweather';font-style:normal;font-weight:400;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.eot');src:local('Merriweather Regular'),local('Merriweather-Regular'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.svg#Merriweather') format('svg')}
@font-face{font-family:'Merriweather';font-style:italic;font-weight:400;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.eot');src:local('Merriweather Italic'),local('Merriweather-Italic'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.svg#Merriweather') format('svg')}
@font-face{font-family:'Merriweather';font-style:normal;font-weight:700;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.eot');src:local('Merriweather Bold'),local('Merriweather-Bold'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.svg#Merriweather') format('svg')}
@font-face{font-family:'Merriweather';font-style:italic;font-weight:700;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.eot');src:local('Merriweather Bold Italic'),local('Merriweather-BoldItalic'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.svg#Merriweather') format('svg')}


@font-face{font-family:'Decimal';font-style:normal;font-weight:500;font-display:swap;src:local('Decimal Medium'),local('Decimal-Medium'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Medium-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Medium-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Medium-Pro.otf') format('opentype')}
@font-face{font-family:'Decimal';font-style:italic;font-weight:500;font-display:swap;src:local('Decimal Medium'),local('Decimal-Medium'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-MediumItalic-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-MediumItalic-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-MediumItalic-Pro.otf') format('opentype')}
@font-face{font-family:'Decimal';font-style:normal;font-weight:600;font-display:swap;src:local('Decimal SemiBold'),local('Decimal-SemiBold'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Semibold-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Semibold-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Semibold-Pro.otf') format('opentype')}
@font-face{font-family:'Decimal';font-style:italic;font-weight:600;font-display:swap;src:local('Decimal SemiBold'),local('Decimal-SemiBold'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-SemiboldItalic-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-SemiboldItalic-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-SemiboldItalic-Pro.otf') format('opentype')}
@font-face{font-family:'Decimal';font-style:normal;font-weight:700;font-display:swap;src:local('Decimal Bold'),local('Decimal-Bold'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Bold-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Bold-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Bold-Pro.otf') format('opentype')}
@font-face{font-family:'Decimal';font-style:italic;font-weight:700;font-display:swap;src:local('Decimal Bold'),local('Decimal-Bold'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-BoldItalic-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-BoldItalic-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-BoldItalic-Pro.otf') format('opentype')}    

.nav {
    display: flex;
    flex-wrap: wrap;
    padding-left: 0;
    margin-bottom: 0;
    list-style: none;
}
dl, ol, ul {
    margin-top: 0;
    margin-bottom: 1rem;
}
.nav-link {
    display: block;
    padding: .5rem 1rem;
}
.productNav2021Component .btn {
    flex-grow: 0;
    flex-shrink: 0;
    display: inline-block;
    font-family: Decimal,Arial,"Helvetica Neue",Helvetica,sans-serif;
    font-weight: 600;
    color: #141414;
    text-align: center;
    vertical-align: middle;
    user-select: none;
    background-color: transparent;
    border: 2px solid transparent;
    border-radius: 50px;
    transition: box-shadow .15s ease-in-out;
}

.productNav2021Component .btn-primary{
    display: inline-flex;
    align-items: center;
    text-decoration: none;
    max-width: 100%;
    text-align: left;
    background-color: #fa582d;
    color: #141414;
    position: relative;
}
.productNav2021Component .btn-primary.focus,.productNav2021Component  .btn-primary:focus{
    color: #141414;
    border-color: #00c0e8;
}
.productNav2021Component .btn-primary:hover, .productNav2021Component .btn-primary-outline:hover,  .productNav2021Component .btn-black:hover, .productNav2021Component .btn-white:hover {
    background-color: #fb7652;
}
.productNav2021Component .btn{
    height:auto;
}
.productNav2021Component .btn:hover {
    color: #141414;
    text-decoration: none;
    border-color: transparent;
}
.productNav2021Component .btn-dark,.productNav2021Component .btn-outline-dark{
    display: inline-flex;
    align-items: center;
    text-decoration: none;
    max-width: 100%;
    text-align: left;
    background: 0;
    color: #fff;
    position: relative;
}
.productNav2021Component .btn-dark i, .productNav2021Component .btn-outline-dark i {
    width: 20px;
    height: 20px;
    margin-left: 15px;
    flex-grow: 0;
    flex-shrink: 0;
    display: inline-block;
    background-size: contain;
    background-position: center;
    background-repeat: no-repeat;
    background-image: url('https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-white.svg');
}
.productNav2021Component .btn-dark:hover{
    color: #999;
}
.productNav2021Component .btn-dark:not(:disabled):not(.disabled):active,.productNav2021Component .btn-dark:hover{
    background-color: transparent;
    border-color: transparent;
}
.productNav2021Component .btn-dark:not(:disabled):not(.disabled):active:focus{
    box-shadow: none;
}
.productNav2021Component .display-2{
    font-family: Merriweather,Georgia,serif;
    font-weight: 400;
    color: #5f5f5f;
    font-size: 14px;
    line-height: 24px;
} 
.panClean .ar-1-1 img,.panClean .ar-4-3 img,.panClean .ar-3-2 img,.panClean .ar-3-4 img,.panClean .ar-12-17 img,.panClean .ar-16-7 img,.panClean .ar-16-9 img{
    position:absolute;
    width:100%;
    height:100%;
    object-fit:contain;
    font-family:'object-fit: contain;'
}
.panClean .ar-3-2{padding-bottom:66.6666667%}
.panClean .ar-1-1,.panClean .ar-4-3,.panClean .ar-3-2,.panClean .ar-3-4,.panClean .ar-12-17,.panClean .ar-16-7,.panClean .ar-16-9{display:inline-block;width:100%;height:0;overflow:hidden;position:relative;margin:0}
.panClean .ar-16-9{padding-bottom:52.25%}
.panClean .ar-3-4{padding-bottom:133.3333333%}
.productNav2021Component .container,.productNav2021Component .container-fluid,.productNav2021Component .container-sm,.productNav2021Component .container-md,.productNav2021Component .container-lg,.productNav2021Component .container-xl{width:100%;padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}

/** [Start] custom css, not copied from main site **/
.productNav2021Component a, button, input[type=reset], input[type=submit]{
    transition: none;
}
.panClean .productNav2021Component .prisma-2021-nav-main .btn.btn-primary {
    height: auto;
}
.pan-search-coveo-header .magic-box-clear{
    display: block!important;
}
.no-scroll{overflow:hidden !important}
/** [End] custom css, not copied from main site **/
@media (min-width: 576px){
.productNav2021Component .container-fluid {
    width: auto;
    margin-left: 7.14285714%;
    margin-right: 7.14285714%;
}
}
@media(min-width:768px){.productNav2021Component .btn{padding:13px 24px;font-size:16px;line-height:20px}}
@media(min-width:768px){.productNav2021Component .btn{padding:13px 24px;font-size:16px;line-height:20px}
.productNav2021Component .btn-light,.productNav2021Component .btn-dark{padding-left:0;padding-right:0}
.productNav2021Component .btn-link{padding:5px 0}
.productNav2021Component .btn-lg,.productNav2021Component .btn-group-lg>.btn{padding:20px 40px;font-size:18px}
.productNav2021Component .btn-sm,.productNav2021Component .btn-group-sm>.btn{padding:10px 20px;font-size:14px}
}
@media(max-width:767.98px){.productNav2021Component .btn{padding:10px 20px;font-size:14px;line-height:18px;}}
@media(max-width:767.98px){
    .productNav2021Component .btn-dark{padding-left:0;padding-right:0}
}    
.wpp-meta {
    display: none !important;
}
</style>   
<link rel='stylesheet'  href='https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css' type='text/css' media='all' />
<!--<link rel='stylesheet' href='https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/defered.min.css' media='all' />
<link rel='stylesheet' href='https://www.paloaltonetworks.com/etc/clientlibs/clean/panClean/prisma/defered.min.css' media='all' />-->
<link rel='stylesheet' href='https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.css' media='all' />
<link rel='stylesheet' href='https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/deferedProductNav.min.css' media='all' />
    <meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />
<link rel="alternate" hreflang="en" href="https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/" />
<link rel="alternate" hreflang="ja" href="https://unit42.paloaltonetworks.jp/gobruteforcer-golang-botnet/" />
<link rel="alternate" hreflang="x-default" href="https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/" />

	<!-- This site is optimized with the Yoast SEO Premium plugin v19.6 (Yoast SEO v19.13) - https://yoast.com/wordpress/plugins/seo/ -->
	<title>GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers</title>
	<meta name="description" content="New Golang-based malware we have dubbed GoBruteforcer targets web servers. Golang is becoming popular with malware programmers due to its versatility." />
	<link rel="canonical" href="https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:title" content="GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers" />
	<meta property="og:description" content="New Golang-based malware we have dubbed GoBruteforcer targets web servers. Golang is becoming popular with malware programmers due to its versatility." />
	<meta property="og:url" content="https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/" />
	<meta property="og:site_name" content="Unit 42" />
	<meta property="article:published_time" content="2023-03-10T14:00:32+00:00" />
	<meta property="article:modified_time" content="2023-03-14T13:25:17+00:00" />
	<meta property="og:image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/Malware-r3d3.png" />
	<meta property="og:image:width" content="2001" />
	<meta property="og:image:height" content="1001" />
	<meta property="og:image:type" content="image/png" />
	<meta name="author" content="Siddharth Sharma, Yang Ji, Anmol Maurya, Dongrui Zeng" />
	<meta name="twitter:card" content="summary_large_image" />
	<!-- / Yoast SEO Premium plugin. -->


<link rel='dns-prefetch' href='//www.google.com' />
<link rel="alternate" type="application/rss+xml" title="Unit 42 &raquo; GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers Comments Feed" href="https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/feed/" />
<script type="text/javascript">
// Page-wide configuration object; it carries only the asset build identifier.
var globalConfig = {
	buildName: "UniqueResourceAssetsID_DEC022022"
};
</script>
<meta property="og:likes" content="15"/>
<meta property="og:readtime" content="7"/>
<meta property="og:views" content="49,158"/>
<meta property="og:date_created" content="March 10, 2023 at 6:00 AM"/>
<meta property="og:post_length" content="1786"/>
<meta property="og:category" content="Malware"/>
<meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/malware-2/"/>
<meta property="og:author" content="Siddharth Sharma"/>
<meta property="og:author" content="Yang Ji"/>
<meta property="og:author" content="Anmol Maurya"/>
<meta property="og:author" content="Dongrui Zeng"/>
<meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/"/>
<meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/yang-ji/"/>
<meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/"/>
<meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/"/>
<meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/>
<meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/>
<meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/>
<meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/>
<meta name="post_tags" content="Advanced Threat Prevention,botnet,DNS,DNS security,GoBruteforcer,GoLang,web server,WildFire"/>
<meta property="og:post_image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/Malware-r3d3.png"/>
<script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"BlogPosting","headline":"GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers","name":"GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers","description":"New Golang-based malware we have dubbed GoBruteforcer targets web servers. Golang is becoming popular with malware programmers due to its versatility.","url":"https:\/\/unit42.paloaltonetworks.com\/gobruteforcer-golang-botnet\/","mainEntityOfPage":"https:\/\/unit42.paloaltonetworks.com\/gobruteforcer-golang-botnet\/","datePublished":"March 10, 2023","articleBody":"Executive Summary\r\nUnit 42 researchers recently discovered a new sample of Golang-based malware. We have dubbed it GoBruteforcer, and it targets web servers, specifically those running phpMyAdmin, MySQL, FTP and Postgres services. The sample was originally captured from our Next-Generation Firewall. Upon further research, we found that the malware was hosted on a legitimate website.\r\n\r\nFurther investigation revealed that the attacker hosted binaries for x86, x64 and ARM processor architectures. We also discovered that GoBruteforcer had deployed an internet relay chat (IRC) bot on the victim server, which communicates with the attacker\u2019s server.\r\n\r\nThis blog details information collected based on a static overview of the GoBruteforcer attack chain components. For successful execution, the samples require special conditions on the victim system like specific arguments being used and targeted services already being installed (with weak passwords).\r\n\r\nPalo Alto Networks customers receive protections from malware families like GoBruteforcer and its malicious components with Cortex XDR or the Next-Generation Firewall with cloud-delivered security services including WildFire and Advanced Threat Prevention. 
Alongside this, Advanced URL Filtering and DNS Security can block the command and control (C2) domain and malware hosting URLs.\r\n\r\n\r\n\r\nRelated Unit 42 Topics\r\nGolang, Botnet, Web Server\r\n\r\n\r\n\r\nTable of Contents\r\nIntroduction\r\nScanning and System Access\r\nFor the phpMyAdmin Service\r\nIRC Bot Deployment\r\nFor MySQL and Postgres Services\r\nFor the FTP Service\r\nPostResult Module and Web Shell Connection\r\nGoBruteforcer Makes Advances\r\nConclusion\r\nIndicators of Compromise\r\nIntroduction\r\nGo programming language, also known as Golang, is a newer language that\u2019s becoming more popular with malware programmers. It has proven to be versatile enough to develop all kinds of malware, including ransomware, stealers or remote access trojans (RATs). Golang-based botnets in particular seem to be gaining the interest of threat actors.\r\n\r\nGoBruteforcer is a new kind of botnet malware that is written in Golang and targets web servers, specifically those running phpMyAdmin, MySQL, FTP and Postgres services.\r\n\r\nGoBruteforcer chose a Classless Inter-Domain Routing (CIDR) block for scanning the network during the attack, and it targeted all IP addresses within that CIDR range. The threat actor chose CIDR block scanning as a way to get access to a wide range of target hosts on different IPs within a network instead of using a single IP address as a target.\r\n\r\nOnce a host is found, GoBruteforcer tries to get access to the server via brute force. After achieving access, GoBruteforcer deploys an IRC bot containing the attacker\u2019s URL.\r\n\r\nLater, GoBruteforcer also tries to query the victim system using a PHP web shell. We found that this web shell was already deployed onto the victim server. Figure 1 depicts this attack flow.\r\n\r\n[caption id=\"attachment_127250\" align=\"aligncenter\" width=\"600\"] Figure 1. 
GoBruteforcer attack chain.[\/caption]\r\n\r\nThe cache_init file highlighted in Figure 2 is the GoBruteforcer malware we found hosted in the \/.x\/ directory of the targeted server. The initial vector of the GoBruteforcer and the PHP web shell campaign is not known yet.\r\n\r\nWe have notified the victim about the malicious GoBruteforcer binaries hosted on their site.\r\n\r\n[caption id=\"attachment_127193\" align=\"aligncenter\" width=\"900\"] Figure 2. GoBruteforcer hosted on a victim server.[\/caption]\r\n\r\nThe GoBruteforcer malware hashes we found mainly targeted Unix-like (*nix) platforms, with versions for x86, x64 and ARM architectures. It seems likely that this is their OS of choice because *nix operating systems are a popular choice for hosting servers.\r\n\r\nWe believe that GoBruteforcer is in active development, and as such, things like initial infection vectors or payloads could change in the near future.\r\nScanning and System Access\r\nThe GoBruteforcer malware samples are packed with UPX Packer. Upon unpacking a sample (SHA256 ebe11121aafdac5d8f2eecba710ba85efa31617a5eb825ba2e89e23379b26b84), we observed that GoBruteforcer has a multiscan module (shown in Figure 3) it uses to scan for the hosts inside a CIDR for its attack.\r\n\r\n[caption id=\"attachment_127195\" align=\"aligncenter\" width=\"900\"] Figure 3. GoBruteforcer multiscan function.[\/caption]\r\n\r\nOn the target IP address, the malware starts scanning for phpMyAdmin, MySQL, FTP and Postgres services. The attacker has defined separate scanning modules against all the aforementioned services, as shown in Figure 4.\r\n\r\n[caption id=\"attachment_127197\" align=\"aligncenter\" width=\"600\"] Figure 4. Modules inside GoBruteforcer for scanning different services.[\/caption]\r\n\r\nInside the modules, the malware first checks if the port belonging to the service is open. 
For this, the port scan module (shown in Figure 5) is called inside every scanning module.\r\n\r\n[caption id=\"attachment_127199\" align=\"aligncenter\" width=\"510\"] Figure 5. Portscan function (present inside every scanning module).[\/caption]\r\nFor the phpMyAdmin Service\r\nWhen scanning for phpMyAdmin services, if the target port (port 80) is open, the GoBruteforcer malware tries to login and get access to the victim server via brute force. To do this, the malware uses a set of credentials that is hard coded into the malware binary, as shown in Figure 6.\r\n\r\n[caption id=\"attachment_127201\" align=\"aligncenter\" width=\"900\"] Figure 6. Hard-coded credentials for brute forcing.[\/caption]\r\nIRC Bot Deployment\r\nUpon successful login via phpMyAdmin service into the victim server, GoBruteforcer deploys and executes an IRC bot on the victim server. The files fb5 and ab5 are IRC bots compiled for x86_64 and ARM architectures respectively, as shown in Figures 7 and 8.\r\n\r\n[caption id=\"attachment_127203\" align=\"aligncenter\" width=\"900\"] Figure 7. GoBruteforcer deploying IRC bot for x86-supported platforms.[\/caption]\r\n\r\n[caption id=\"attachment_127205\" align=\"aligncenter\" width=\"900\"] Figure 8. GoBruteforcer deploying IRC bot for ARM-supported platforms.[\/caption]\r\n\r\nLater, the malware starts communication between the command and control channel (C2) and the victim server via the IRC bot, as shown in Figure 9.\r\n\r\n[caption id=\"attachment_127207\" align=\"aligncenter\" width=\"900\"] Figure 9. Victim and C2 communication via IRC bot.[\/caption]\r\n\r\nAdditionally, the IRC bot also registers itself inside cron for recurring execution.\r\n\r\n[caption id=\"attachment_127209\" align=\"aligncenter\" width=\"900\"] Figure 10. IRC registering itself in cron.[\/caption]\r\nFor MySQL and Postgres Services\r\nWhen scanning for MySQL and Postgres services, the GoBruteforcer malware first checks whether ports 3306 and 5432 are open. 
If the malware finds the ports open, then the malware tries to ping the host\u2019s database with a certain username and password. (Figures 11 and 12 show this activity, and you can also refer to the following post on the Golang Issues forum for more information).\r\n\r\nAfter that, the malware calls the PostResult module, which will be discussed in greater detail in the later section, PostResult Module and Web Shell Connection.\r\n\r\n[caption id=\"attachment_127211\" align=\"aligncenter\" width=\"900\"] Figure 11. MySql ping done by GoBruteforcer malware.[\/caption]\r\n\r\n[caption id=\"attachment_127213\" align=\"aligncenter\" width=\"900\"] Figure 12. Postgres ping done by GoBruteforcer malware.[\/caption]\r\nFor the FTP Service\r\nWhen scanning for FTP services, GoBruteforcer checks whether port 21 is open. If the malware finds it open, it tries to authenticate to the server (as shown in Figure 13) using the goftp library, which is an FTP client package for Golang.\r\n\r\n[caption id=\"attachment_127215\" align=\"aligncenter\" width=\"900\"] Figure 13. FTP login attempt.[\/caption]\r\n\r\nUpon successful authentication to the victim server, the malware calls the PostResult module.\r\nPostResult Module and Web Shell Connection\r\nInside GoBruteforcer's PostResult module, which is called after every service scanning module, we observed a hard coded link (query) as shown in Figure 14.\r\n\r\n[caption id=\"attachment_127217\" align=\"aligncenter\" width=\"900\"] Figure 14. Hard coded link found inside GoBruteforcer binary.[\/caption]\r\n\r\nOn further investigation into the directories within the victim IP address, we found a web shell named x, (http[:]\/\/victim-ip\/x) with SHA256 de7994277a81cf48f575f7245ec782c82452bb928a55c7fae11c2702cc308b8b. 
This web shell seemed similar to the pst.php PHP file (SHA256 602129f00bb002f07db07affa78d46f67bd0b2c8fb0867ea2da5fc3e73dd2665) associated with http[:]\/\/5.253[.]84[.]159 (see Figure 15).\r\n\r\nThe PHP web shell had reverse shell and bind shell capabilities, as shown in Figure 15.\r\n\r\n[caption id=\"attachment_127219\" align=\"aligncenter\" width=\"900\"] Figure 15. Bind shell and reverse shell capabilities inside the web shell.[\/caption]\r\n\r\nAlong with these capabilities, the web shell also has a packet crafter (shown in Figure 16) with input options such as host, start and end port, and timeouts for the connection and the stream. This gives the attacker the ability to gain more insight into the targeted network.\r\n\r\n[caption id=\"attachment_127221\" align=\"aligncenter\" width=\"900\"] Figure 16. Simple packet crafter capabilities inside web shell.[\/caption]\r\n\r\nGoBruteforcer Makes Advances\r\nDuring our hunt for the samples related to the GoBruteforcer campaign, we found another sample (SHA256 acc705210814ff5156957c028a8d6544deaca0555156504087fdc61f015d6834). This is possibly an older version of the GoBruteforcer family that only targeted the phpMyAdmin service in order to infect web servers. The sample was uploaded to VirusTotal some months ago and had 0 detections, as shown in Figure 17.\r\n\r\n[caption id=\"attachment_127223\" align=\"aligncenter\" width=\"900\"] Figure 17. VirusTotal detection: older version of GoBruteforcer.[\/caption]\r\nConclusion\r\nWeb servers have always been a lucrative target for threat actors. Weak passwords could lead to serious threats as web servers are an indispensable part of an organization. Malware like GoBruteforcer takes advantage of weak (or default) passwords.\r\n\r\nThe GoBruteforcer bot comes with a multiscan capability, which gives it a wide range of targets that it can use to get into a network. 
GoBruteforcer also seems to be in active development, so attackers could change the techniques they use to target web servers in the near future.\r\n\r\nPalo Alto Networks customers receive protections from malware families like GoBruteforcer and its malicious components with Cortex XDR or the Next-Generation Firewall with cloud-delivered security services including WildFire and Advanced Threat Prevention. Alongside this, Advanced URL Filtering and DNS Security can block the command and control (C2) domain and malware hosting URLs.\r\nIndicators of Compromise\r\nHashes\r\n\r\n\r\n\r\nde7994277a81cf48f575f7245ec782c82452bb928a55c7fae11c2702cc308b8b\u00a0\r\nWeb shell\r\n\r\n\r\n602129f00bb002f07db07affa78d46f67bd0b2c8fb0867ea2da5fc3e73dd2665\r\nWeb shell\r\n\r\n\r\nacc705210814ff5156957c028a8d6544deaca0555156504087fdc61f015d6834\u00a0\r\nOlder version of GoBruteforcer\r\n\r\n\r\n426b573363277554c7c8a04da524ddbf57c5ff570ea23017bdc25d0c7fd80218\u00a0\r\nIRC bot(x86)\r\n\r\n\r\n726ccd223a1cfb60fc6c3b48ea3dbf057da918efac5acf620cd026ee38fb0044\u00a0\r\nIRC bot(ARM)\r\n\r\n\r\n526767fbb26c911601371745d603885b75deabcc18261ed2d5a509d58f95d28e\r\nGoBruteforcer (x86_64)\r\n\r\n\r\ndd3555025957cd51cd048d920027a0ff2d5501bc85792529217d54086e9351c2\r\nGoBruteforcer (x86_64)\r\n\r\n\r\ndf7dc0fe7e90a2414ac188c55d06ad3882cfc7394869c9ffa549fb1ddb304919\r\nGoBruteforcer (x86_64)\r\n\r\n\r\nebe11121aafdac5d8f2eecba710ba85efa31617a5eb825ba2e89e23379b26b84\r\nGoBruteforcer (x86_64)\r\n\r\n\r\n5548935e7c6cf3b38240a0579cac36906e9883a1ec5e85335609e9e2062588c5\r\nGoBruteforcer ARM(64-bit)\r\n\r\n\r\n5627b138bc857081d2251edd7eb3b68cbd58dfff2f51b7cd34c893fffff2cfab\r\nGoBruteforcer ARM(64-bit)\r\n\r\n\r\n5c1d3fb43e9e35b835e62e05a7b97ed66ab132eab35bfc18ce543e8f58ccf5e2\r\nGoBruteforcer ARM(32-bit)\r\n\r\n\r\n7c27ac0daba19de227fcc467abfcdefa99426c768a3601b1b181e9741717665b\r\nGoBruteforcer (x86)\r\n\r\n\r\n\r\nURL and IP\r\n\r\n \t5.253[.]84[.]159\/x\r\n \tfi[.]warmachine[.]su\r\n\r\nUpdated 
March 14, 2023, at 6:20 a.m. PT to correct port numbers in Figure 1.\u00a0","publisher":{"@type":"Organization","@id":"#panworg"},"image":{"@type":"ImageObject","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/03\/Malware-r3d3.png","width":150,"height":75},"author":[{"@type":"Person","name":"Siddharth Sharma"},{"@type":"Person","name":"Yang Ji"},{"@type":"Person","name":"Anmol Maurya"},{"@type":"Person","name":"Dongrui Zeng"}]}</script><link rel='stylesheet' id='crayon-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css?ver=_2.7.2_beta' type='text/css' media='all' />
  
  
  

</head>
  <body class="post-template-default single single-post postid-127183 single-format-standard">

<script type="text/javascript">
	function getCookie(cname) {
	 	var name = cname + "=";
  		var decodedCookie = decodeURIComponent(document.cookie);
		var ca = decodedCookie.split(';');
  		for(var i = 0; i <ca.length; i++) {
    			var c = ca[i];
    			while (c.charAt(0) == ' ') {
     				 c = c.substring(1);
    			}
    			if (c.indexOf(name) == 0) {
    				 return c.substring(name.length, c.length);
    			}
  		}
  		return "";
	}

	var referer = "";//sessionStorage.container;
	var pcontainer = sessionStorage.getItem("container");
	var searchResultsPagePath = "";
	/**
	if(document.location.host==='unit42.paloaltonetworks.com'){
		window.initialContainer = "Unit";
		window.supportedContainer = ["Prisma","Sase","Cortex","Unit"];
	}
	**/
	
	
	if(((pcontainer) && pcontainer.indexOf('Prisma')!=-1)){
	    referer = 'Prisma' ;
	}
        else if(((pcontainer) && pcontainer.indexOf('Cortex')!=-1)){
	    referer = 'Cortex' ;
	}
        else if(((pcontainer) && pcontainer.indexOf('Sase')!=-1)){
	    referer = 'Sase' ;
	}
	else if(((pcontainer) && pcontainer.indexOf('Unit')!=-1)){
	    referer = 'Unit' ;
	}
	else if(((pcontainer) && pcontainer.indexOf('Ngfw')!=-1)){
	    referer = 'Ngfw' ;
	}
        var fromRef = document.referrer;
	var nContainer = getCookie("navContainer");
        if(nContainer){//If user is coming from main site, we need to reset the container		
		if(fromRef  && fromRef.indexOf("prismacloud.io")!=-1){
                        referer = 'Prisma' ;
                        sessionStorage.setItem("container","Prisma");
                } else if(fromRef.indexOf("paloaltonetworks.com")!=-1 || fromRef.indexOf("paloaltonetworks.jp")!=-1 ){
                        if(nContainer.indexOf('Prisma') != -1){
                            referer = 'Prisma' ;
                            sessionStorage.setItem("container","Prisma");
                        }
                        if(nContainer.indexOf('Cortex') != -1){
                            referer = 'Cortex' ;
                            sessionStorage.setItem("container","Cortex");
                        }
			if(nContainer.indexOf('Sase') != -1){
                            referer = 'Sase' ;
                            sessionStorage.setItem("container","Sase");
                        }
			if(nContainer.indexOf('Unit') != -1){
                            referer = 'Unit' ;
                            sessionStorage.setItem("container","Unit");
                        }
			if(nContainer.indexOf('Ngfw') != -1){
                            referer = 'Ngfw' ;
                            sessionStorage.setItem("container","Ngfw");
                        }
			document.cookie = 'navContainer=; path=/; domain=.paloaltonetworks.com; expires=' + new Date(0).toUTCString();
		}
	}
    //var referer = "Prisma";//sessionStorage.container;
        console.log("referer"+referer);
        if(referer != "Prisma" && referer != "Cortex" && referer != "Sase" && referer != "Unit" && referer != "Ngfw"){
	    		referer = 'Unit' ;
                sessionStorage.setItem("container","Unit");  		    
	  
        }
function callMainSitePrismaNavHTML(){
    
   //var menu_url = 'https://www.paloaltonetworks.com/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html';
   var referrer_domain = 'https://www.paloaltonetworks.com';
   sessionStorage.setItem("domain",referrer_domain);
   if(referer == 'Prisma'){
        var menu_url = referrer_domain+'/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html';
		searchResultsPagePath = referrer_domain+"/search/prismasearch";
	    }
    if(referer == 'Cortex'){
        var menu_url = referrer_domain+'/_jcr_content/globals/cleanHeaderCortex.cortexRenderer.html';	
	searchResultsPagePath = referrer_domain+"/search/cortexsearch";	
    }
    if(referer == 'Sase'){
        var menu_url = referrer_domain+'/_jcr_content/globals/cleanHeaderSase.saseRenderer.html';
	searchResultsPagePath = referrer_domain+"/search/sasesearch";
    }
    if(referer == 'Unit'){
        //var menu_url = referrer_domain+'/_jcr_content/globals/cleanHeaderUnit.unitRenderer.html';
	var menu_url = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/unit-nav-renderer.php';
	searchResultsPagePath = referrer_domain+"/content/pan/en_US/search/unit42search";
    }
    if(referer == 'Ngfw'){
        //var menu_url = referrer_domain+'/_jcr_content/globals/cleanHeaderNgfw.ngfwRenderer.html';
	var menu_url = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/ngfw-cdss-nav-renderer.php';
	searchResultsPagePath = referrer_domain+"/search/ngfwcdsssearch";
    }
    httpGet(menu_url,'menu_html');
    document.getElementById('main-nav-menu-cont').removeAttribute("style");
}
function addStyle(styles) {
              
    /* Create style document */
    var css = document.createElement('style');
    css.type = 'text/css';

    if (css.styleSheet) 
        css.styleSheet.cssText = styles;
    else 
        css.appendChild(document.createTextNode(styles));

    /* Append style to the tag name */
    document.getElementsByTagName("head")[0].appendChild(css);
}
    function httpGet(theUrl,req_type)
    {
        if (window.XMLHttpRequest)
        {// code for IE7+, Firefox, Chrome, Opera, Safari
            xmlhttp=new XMLHttpRequest();
        }
        else
        {// code for IE6, IE5
            xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
        }
        xmlhttp.onreadystatechange=function()
        {
            if (xmlhttp.readyState==4 && xmlhttp.status==200)
            {
                //console.log();
                //return xmlhttp.responseText;
                
                if(req_type == 'menu_html'){
		    var nav_text = xmlhttp.responseText.replaceAll('https://static.cloud.coveo.com/searchui/v2.9159/js/CoveoJsSearch.Lazy.min.js', '');

                    nav_text = nav_text.replaceAll('src="/', 'src="'+maindomain_lang+'/');
		    nav_text = nav_text.replaceAll("'/content", "'"+maindomain_lang+"/content");
		                        
                    document.getElementById("PAN_2021_NAV_ASYNC").innerHTML = nav_text.replaceAll('href="/', 'href="'+maindomain_lang+'/');
		    
		    var lozad_back = document.getElementsByClassName('lozad-background');
		    Array.prototype.forEach.call(lozad_back, function(el) {
			// Do stuff here
			var el_back_img_path = el.getAttribute('data-background-image');
			var first_pos = el_back_img_path.indexOf("'");
			var last_pos = el_back_img_path.indexOf("'",first_pos+1);
			el_back_img_path = el_back_img_path.substring(first_pos+1,last_pos);
			el.setAttribute("data-background-image",main_site_url+el_back_img_path);
		    });
                }
                if(req_type == 'head_inline_css'){
                    addStyle(xmlhttp.responseText);
                }
                //document.getElementsByTagName("header")[1].removeAttribute("style");
                //document.getElementsByTagName("header")[1].classList.add("light");
            }
        }
        xmlhttp.open("GET", theUrl, false );
        xmlhttp.send();    
    }    
    
    if(referer == 'Prisma' || referer == 'Cortex' || referer == 'Sase' || referer == 'Unit' || referer == 'Ngfw'){
        const article = document.querySelector('#PAN_2021_NAV_ASYNC');
        if(referer == 'Prisma'){
            article.dataset.type = 'prisma';
	    $('#PAN_2021_NAV_ASYNC').removeClass('default').addClass('defaultRedesigned');
        }
        else if(referer == 'Cortex'){
            article.dataset.type = 'cortex';
        }
        else if(referer == 'Sase'){
            article.dataset.type = 'sase';
        }
	else if(referer == 'Unit'){
            article.dataset.type = 'unit';
        }
	else if(referer == 'Ngfw'){
            article.dataset.type = 'ngfw';
        }
	//set class to default
	if(referer == 'Unit' || referer == 'Ngfw'){
	   
	   $('#PAN_2021_NAV_ASYNC').removeClass('default').addClass('defaultRedesigned');
	}
        callMainSitePrismaNavHTML();        
    }
</script>


  <article class="article overflow-hidden">
    
<header class="article__header py-sm-25 pt-40 pb-25 bg-gray-700">
  <div class="container">
    
    <h1 class="article__header__title mb-sm-30 mb-40">GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers</h1>

  </div>
</header>    <div class="article__summary py-25 text-gray-500 font-size-sm">
  <div class="container">
    <div class="row align-items-center no-gutters">
      <div class="col-sm-auto col-12 mb-sm-0 mb-35">
        <i class="ui ui-11 text-gray-700 mr-sm-20"></i>
      </div>
  
      <div class="col-sm col-12">
        <p>
          By <a href="https://unit42.paloaltonetworks.com/author/siddharth-sharma/" title="Posts by Siddharth Sharma" class="author url fn" rel="author">Siddharth Sharma</a>, <a href="https://unit42.paloaltonetworks.com/author/yang-ji/" title="Posts by Yang Ji" class="author url fn" rel="author">Yang Ji</a>, <a href="https://unit42.paloaltonetworks.com/author/anmol-maurya/" title="Posts by Anmol Maurya" class="author url fn" rel="author">Anmol Maurya</a> and <a href="https://unit42.paloaltonetworks.com/author/dongrui-zeng/" title="Posts by Dongrui Zeng" class="author url fn" rel="author">Dongrui Zeng</a>        </p>
        <p><time datetime="2023-03-10T14:00:32+00:00">March 10, 2023 at 6:00 AM</time></p>
        <p>Category: <a href="https://unit42.paloaltonetworks.com/category/malware-2/" rel="category tag">Malware</a></p>
        <p>Tags: <a href="https://unit42.paloaltonetworks.com/tag/advanced-threat-prevention/" rel="tag">Advanced Threat Prevention</a>, <a href="https://unit42.paloaltonetworks.com/tag/botnet/" rel="tag">botnet</a>, <a href="https://unit42.paloaltonetworks.com/tag/dns/" rel="tag">DNS</a>, <a href="https://unit42.paloaltonetworks.com/tag/dns-security/" rel="tag">DNS security</a>, <a href="https://unit42.paloaltonetworks.com/tag/gobruteforcer/" rel="tag">GoBruteforcer</a>, <a href="https://unit42.paloaltonetworks.com/tag/golang/" rel="tag">GoLang</a>, <a href="https://unit42.paloaltonetworks.com/tag/web-server/" rel="tag">web server</a>, <a href="https://unit42.paloaltonetworks.com/tag/wildfire/" rel="tag">WildFire</a></p>
      </div>
    </div>
  </div>
</div>    <div class="py-30 bg-white">
      <div class="container">
        <div class="article__content pb-30">
                      <figure class="mb-30 text-center">
              <img width="900" height="450" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/Malware-r3d3.png" class="attachment-single size-single" alt="Malware conceptual image, covering variants such as GoBruter" decoding="async" loading="lazy" />            </figure>
                    <p class="wpml-ls-statics-post_translations wpml-ls">This post is also available in: 
    <span class="wpml-ls-slot-post_translations wpml-ls-item wpml-ls-item-ja wpml-ls-first-item wpml-ls-last-item wpml-ls-item-legacy-post-translations"><a href="https://unit42.paloaltonetworks.jp/gobruteforcer-golang-botnet/" class="wpml-ls-link"><span class="wpml-ls-native" lang="ja">日本語</span><span class="wpml-ls-display"><span class="wpml-ls-bracket"> (</span>Japanese<span class="wpml-ls-bracket">)</span></span></a></span></p><h2><a id="post-127183-_5nxj0sk6i21v"></a>Executive Summary</h2>
<p>Unit 42 researchers recently discovered a new sample of Golang-based malware. We have dubbed it GoBruteforcer, and it targets web servers, specifically those running phpMyAdmin, MySQL, FTP and Postgres services. The sample was originally captured from our Next-Generation Firewall. Upon further research, we found that the malware was hosted on a legitimate website.</p>
<p>Further investigation revealed that the attacker hosted binaries for x86, x64 and ARM processor architectures. We also discovered that GoBruteforcer had deployed an internet relay chat (IRC) bot on the victim server, which communicates with the attacker’s server.</p>
<p>This blog details information collected from a static overview of the GoBruteforcer attack chain components. To execute successfully, the samples require special conditions on the victim system, such as specific arguments being used and the targeted services already being installed (with weak passwords).</p>
<p>Palo Alto Networks customers receive protections from malware families like GoBruteforcer and its malicious components with <a href="https://www.paloaltonetworks.com/cortex/cortex-xdr" target="_blank" rel="noopener">Cortex XDR</a> or the <a href="https://www.paloaltonetworks.com/network-security/next-generation-firewall" target="_blank" rel="noopener">Next-Generation Firewall</a> with <a href="https://www.paloaltonetworks.com/network-security/security-subscriptions" target="_blank" rel="noopener">cloud-delivered security services</a> including <a href="https://www.paloaltonetworks.com/network-security/wildfire" target="_blank" rel="noopener">WildFire</a> and <a href="https://www.paloaltonetworks.com/network-security/advanced-threat-prevention" target="_blank" rel="noopener">Advanced Threat Prevention</a>. Alongside this, <a href="https://www.paloaltonetworks.com/network-security/advanced-url-filtering" target="_blank" rel="noopener">Advanced URL Filtering</a> and <a href="https://www.paloaltonetworks.com/network-security/dns-security" target="_blank" rel="noopener">DNS Security</a> can block the command and control (C2) domain and malware hosting URLs.</p>
<table style="width: 100%;">
<thead>
<tr>
<td style="width: 35%;"><b>Related Unit 42 Topics</b></td>
<td style="width: 100%;"><a href="https://unit42.paloaltonetworks.com/tag/golang/" target="_blank" rel="noopener"><strong>Golang</strong></a>, <a href="https://unit42.paloaltonetworks.com/tag/botnet/" target="_blank" rel="noopener"><b>Botnet</b></a>, <strong><a href="https://unit42.paloaltonetworks.com/tag/web-server/" target="_blank" rel="noopener">Web Server</a></strong></td>
</tr>
</thead>
</table>
<h2><a id="post-127183-_q0br26g2uuco"></a>Table of Contents</h2>
<p><a href="#post-127183-_5or9ju4hxyj5">Introduction</a><br />
<a href="#post-127183-_o32q9jh2lwfs">Scanning and System Access</a><br />
<a href="#post-127183-_ygwsx8no7959">For the phpMyAdmin Service</a><br />
<a href="#post-127183-_a53wofwv3316">IRC Bot Deployment</a><br />
<a href="#post-127183-_wyx8yxloo0uv">For MySQL and Postgres Services</a><br />
<a href="#post-127183-_a4hqldfv8bdx">For the FTP Service</a><br />
<a href="#post-127183-_a9xhryoj86sx">PostResult Module and Web Shell Connection</a><br />
<a href="#post-127183-_bggryhxlh5wi">GoBruteforcer Makes Advances</a><br />
<a href="#post-127183-_cdtc9j3kv7x3">Conclusion</a><br />
<a href="#post-127183-_ez9vec5q9zky">Indicators of Compromise</a></p>
<h2><a id="post-127183-_5or9ju4hxyj5"></a>Introduction</h2>
<p>The Go programming language, also known as Golang, is a newer language that’s becoming more popular with malware programmers. It has proven to be versatile enough for developing all kinds of malware, including ransomware, stealers and remote access trojans (RATs). Golang-based botnets in particular seem to be gaining the interest of threat actors.</p>
<p>GoBruteforcer is a new kind of botnet malware that is written in Golang and targets web servers, specifically those running phpMyAdmin, MySQL, FTP and Postgres services.</p>
<p>GoBruteforcer chose a Classless Inter-Domain Routing (<a href="https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#:~:text=CIDR%20is%20also%20used%20for,of%20bits%20in%20the%20address." target="_blank" rel="noopener">CIDR</a>) block for scanning the network during the attack, and it targeted all IP addresses within that CIDR range. The threat actor chose CIDR block scanning as a way to get access to a wide range of target hosts on different IPs within a network instead of using a single IP address as a target.</p>
<p>Once a host is found, GoBruteforcer tries to get access to the server via brute force. After achieving access, GoBruteforcer deploys an IRC bot containing the attacker’s URL.</p>
<p>Later, GoBruteforcer also tries to query the victim system using a PHP web shell. We found that this web shell was already deployed onto the victim server. Figure 1 depicts this attack flow.</p>
<figure id="attachment_127250" aria-describedby="caption-attachment-127250" style="width: 600px" class="wp-caption aligncenter"><img decoding="async" class="wp-image-127250" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/Gobruteforcer-F1-1-3.png" alt="Image 1 is a tree diagram showing the GoBruteforcer attack chain, starting with a port scan." width="600" height="733" /><figcaption id="caption-attachment-127250" class="wp-caption-text">Figure 1. GoBruteforcer attack chain.</figcaption></figure>
<p>The <span style="font-family: 'courier new', courier, monospace;">cache_init</span> file highlighted in Figure 2 is the GoBruteforcer malware we found hosted in the <span style="font-family: 'courier new', courier, monospace;">/.x/</span> directory of the targeted server. The initial vector of the GoBruteforcer and the PHP web shell campaign is not known yet.</p>
<p>We have notified the victim about the malicious GoBruteforcer binaries hosted on their site.</p>
<figure id="attachment_127193" aria-describedby="caption-attachment-127193" style="width: 900px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127193" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/word-image-127183-2.png" alt="Image 2 is three screenshots side by side of web indexes that are hosting GoBruteforcer binaries on their websites. Highlighted is the cache_init file in the index of each under the Parent Directory. " width="900" height="163" /><figcaption id="caption-attachment-127193" class="wp-caption-text">Figure 2. GoBruteforcer hosted on a victim server.</figcaption></figure>
<p>The GoBruteforcer malware samples we found mainly targeted Unix-like (*nix) platforms, with versions for x86, x64 and ARM architectures. It seems likely that the attackers chose this OS family because *nix operating systems are a popular choice for hosting servers.</p>
<p>We believe that GoBruteforcer is in active development, and as such, things like initial infection vectors or payloads could change in the near future.</p>
<h2><a id="post-127183-_o32q9jh2lwfs"></a>Scanning and System Access</h2>
<p>The GoBruteforcer malware samples are packed with <a href="https://github.com/upx/upx" target="_blank" rel="noopener">UPX</a> Packer. Upon unpacking a sample (SHA256 <span style="font-family: 'courier new', courier, monospace;">ebe11121aafdac5d8f2eecba710ba85efa31617a5eb825ba2e89e23379b26b84</span>), we observed that GoBruteforcer has a multiscan module (shown in Figure 3) that it uses to scan for hosts inside a CIDR block for its attack.</p>
<figure id="attachment_127195" aria-describedby="caption-attachment-127195" style="width: 900px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127195" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/word-image-127183-3.png" alt="Image 3 is a screenshot of GoBruteforcer’s multi scan module. " width="900" height="403" /><figcaption id="caption-attachment-127195" class="wp-caption-text">Figure 3. GoBruteforcer multiscan function.</figcaption></figure>
<p>On the target IP address, the malware starts scanning for phpMyAdmin, MySQL, FTP and Postgres services. The attacker has defined separate scanning modules against all the aforementioned services, as shown in Figure 4.</p>
<figure id="attachment_127197" aria-describedby="caption-attachment-127197" style="width: 600px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127197" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/word-image-127183-4.png" alt="Image 4 is a screenshot of modules in GoBruteforcer scanning different services, such as MySQL and Postgres." width="600" height="662" /><figcaption id="caption-attachment-127197" class="wp-caption-text">Figure 4. Modules inside GoBruteforcer for scanning different services.</figcaption></figure>
<p>Inside the modules, the malware first checks if the port belonging to the service is open. For this, the port scan module (shown in Figure 5) is called inside every scanning module.</p>
<figure id="attachment_127199" aria-describedby="caption-attachment-127199" style="width: 510px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127199" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/word-image-127183-5.png" alt="Image 5 is a screenshot that takes a closer look at GoBruteforcer’s port scan module. " width="510" height="335" /><figcaption id="caption-attachment-127199" class="wp-caption-text">Figure 5. Portscan function (present inside every scanning module).</figcaption></figure>
<h3><a id="post-127183-_ygwsx8no7959"></a>For the phpMyAdmin Service</h3>
<p>When scanning for phpMyAdmin services, if the target port (port 80) is open, the GoBruteforcer malware tries to log in and get access to the victim server via brute force. To do this, the malware uses a set of credentials that is hard-coded into the malware binary, as shown in Figure 6.</p>
<figure id="attachment_127201" aria-describedby="caption-attachment-127201" style="width: 900px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127201" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/word-image-127183-6.png" alt="Image 6 is a screenshot of many lines of code, the malware binary, showing the hard coded credentials. " width="900" height="177" /><figcaption id="caption-attachment-127201" class="wp-caption-text">Figure 6. Hard-coded credentials for brute forcing.</figcaption></figure>
<h4><a id="post-127183-_a53wofwv3316"></a>IRC Bot Deployment</h4>
<p>Upon successful login via phpMyAdmin service into the victim server, GoBruteforcer deploys and executes an IRC bot on the victim server. The files <span style="font-family: 'courier new', courier, monospace;">fb5</span> and <span style="font-family: 'courier new', courier, monospace;">ab5</span> are IRC bots compiled for x86_64 and ARM architectures respectively, as shown in Figures 7 and 8.</p>
<figure id="attachment_127203" aria-describedby="caption-attachment-127203" style="width: 900px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127203" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/word-image-127183-7.png" alt="Image 7 is a screenshot showing how GoBruteforcer deploys an IRC bot for x86-supported platforms, highlighted in red." width="900" height="299" /><figcaption id="caption-attachment-127203" class="wp-caption-text">Figure 7. GoBruteforcer deploying IRC bot for x86-supported platforms.</figcaption></figure>
<figure id="attachment_127205" aria-describedby="caption-attachment-127205" style="width: 900px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127205" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/word-image-127183-8.png" alt="Image 8 is a screenshot showing how GoBruteforcer deploys an IRC bot for ARM-supported platforms, highlighted in red." width="900" height="303" /><figcaption id="caption-attachment-127205" class="wp-caption-text">Figure 8. GoBruteforcer deploying IRC bot for ARM-supported platforms.</figcaption></figure>
<p>Later, the malware starts communication between the command and control channel (C2) and the victim server via the IRC bot, as shown in Figure 9.</p>
<figure id="attachment_127207" aria-describedby="caption-attachment-127207" style="width: 900px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127207" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/word-image-127183-9.png" alt="Image 9 is a screenshot of Wireshark showing the victim and C2 communication via an IRC bot. " width="900" height="400" /><figcaption id="caption-attachment-127207" class="wp-caption-text">Figure 9. Victim and C2 communication via IRC bot.</figcaption></figure>
<p>The IRC bot also registers itself in cron for recurring execution, which gives it persistence on the victim server.</p>
<figure id="attachment_127209" aria-describedby="caption-attachment-127209" style="width: 900px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127209" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/word-image-127183-10.png" alt="Image 10 is a screenshot of a few lines of code showing, with yellow highlighting, how the IRC bot registers itself in cron. " width="900" height="69" /><figcaption id="caption-attachment-127209" class="wp-caption-text">Figure 10. IRC registering itself in cron.</figcaption></figure>
<h3><a id="post-127183-_wyx8yxloo0uv"></a>For MySQL and Postgres Services</h3>
<p>When scanning for MySQL and Postgres services, the GoBruteforcer malware first checks whether ports 3306 and 5432 are open. If it finds the ports open, the malware tries to ping the host’s database with a certain username and password. (Figures 11 and 12 show this activity; see also the <a href="https://github.com/golang/go/issues/27476" target="_blank" rel="noopener">post on the Golang Issues forum</a> for more information.)</p>
<p>After that, the malware calls the <span style="font-family: 'courier new', courier, monospace;">PostResult</span> module, which will be discussed in greater detail in the later section, <a href="#post-127183-_a9xhryoj86sx">PostResult Module and Web Shell Connection</a>.</p>
<figure id="attachment_127211" aria-describedby="caption-attachment-127211" style="width: 900px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127211" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/word-image-127183-11.png" alt="Image 11 is a screenshot highlighting GoBruteforcer’s MySql ping. " width="900" height="222" /><figcaption id="caption-attachment-127211" class="wp-caption-text">Figure 11. MySql ping done by GoBruteforcer malware.</figcaption></figure>
<figure id="attachment_127213" aria-describedby="caption-attachment-127213" style="width: 900px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127213" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/word-image-127183-12.png" alt="Image 12 is a screenshot highlighting GoBruteforcer’s Postgres ping. " width="900" height="248" /><figcaption id="caption-attachment-127213" class="wp-caption-text">Figure 12. Postgres ping done by GoBruteforcer malware.</figcaption></figure>
<h3><a id="post-127183-_a4hqldfv8bdx"></a>For the FTP Service</h3>
<p>When scanning for FTP services, GoBruteforcer checks whether port 21 is open. If the malware finds it open, it tries to authenticate to the server (as shown in Figure 13) using <a href="https://github.com/jlaffaye/ftp/" target="_blank" rel="noopener">the goftp library</a>, which is an FTP client package for Golang.</p>
<figure id="attachment_127215" aria-describedby="caption-attachment-127215" style="width: 900px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127215" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/word-image-127183-13.png" alt="Image 13 is a screenshot highlighting GoBruteforcer’s attempt at an FTP login as it tries to authenticate to the server. " width="900" height="606" /><figcaption id="caption-attachment-127215" class="wp-caption-text">Figure 13. FTP login attempt.</figcaption></figure>
<p>Upon successful authentication to the victim server, the malware calls the <span style="font-family: 'courier new', courier, monospace;">PostResult</span> module.</p>
<h4><a id="post-127183-_a9xhryoj86sx"></a>PostResult Module and Web Shell Connection</h4>
<p>Inside GoBruteforcer's <span style="font-family: 'courier new', courier, monospace;">PostResult</span> module, which is called after every service scanning module, we observed a hard coded link (query) as shown in Figure 14.</p>
<figure id="attachment_127217" aria-describedby="caption-attachment-127217" style="width: 900px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127217" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/word-image-127183-14.png" alt="Image 14 is a screenshot highlighting a hard-coded link in the GoBruteforcer binary. " width="900" height="114" /><figcaption id="caption-attachment-127217" class="wp-caption-text">Figure 14. Hard coded link found inside GoBruteforcer binary.</figcaption></figure>
<p>On further investigation into the directories within the victim IP address, we found a web shell named <span style="font-family: 'courier new', courier, monospace;">x</span> (<span style="font-family: 'courier new', courier, monospace;">http[:]//victim-ip/x</span>) with SHA256 <span style="font-family: 'courier new', courier, monospace;">de7994277a81cf48f575f7245ec782c82452bb928a55c7fae11c2702cc308b8b</span>. This web shell seemed similar to the <span style="font-family: 'courier new', courier, monospace;">pst.php</span> PHP file (SHA256 <span style="font-family: 'courier new', courier, monospace;">602129f00bb002f07db07affa78d46f67bd0b2c8fb0867ea2da5fc3e73dd2665</span>) associated with <span style="font-family: 'courier new', courier, monospace;">http[:]//5.253[.]84[.]159</span> (see Figure 15).</p>
<p>The PHP web shell had reverse shell and bind shell capabilities, as shown in Figure 15.</p>
<figure id="attachment_127219" aria-describedby="caption-attachment-127219" style="width: 900px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127219" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/word-image-127183-15.png" alt="Image 15 is a screenshot of the PHP webshell with “Bind Shell” and “Reverse Shell” highlighted. " width="900" height="247" /><figcaption id="caption-attachment-127219" class="wp-caption-text">Figure 15. Bind shell and reverse shell capabilities inside webshell.</figcaption></figure>
<p>Along with these capabilities, the web shell also has a <a href="https://en.wikipedia.org/wiki/Packet_crafting">packet crafter</a> (shown in Figure 16) that accepts inputs such as host, start and end port, and timeouts for the connection and the stream. This gives the attacker the ability to gain more insight into the targeted network.</p>
<figure id="attachment_127221" aria-describedby="caption-attachment-127221" style="width: 900px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127221" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/word-image-127183-16.png" alt="Image 16 is a screenshot of the PHP webshell highlighting the Simple Packet Crafter along with options to the left. " width="900" height="303" /><figcaption id="caption-attachment-127221" class="wp-caption-text">Figure 16. Simple packet crafter capabilities inside web shell.</figcaption></figure>
<h2><a id="post-127183-_bggryhxlh5wi"></a>GoBruteforcer Makes Advances</h2>
<p>During our hunt for samples related to the GoBruteforcer campaign, we found another sample (SHA256 <span style="font-family: 'courier new', courier, monospace;">acc705210814ff5156957c028a8d6544deaca0555156504087fdc61f015d6834</span>). This is possibly an older version of the GoBruteforcer family that only targeted the phpMyAdmin service in order to infect web servers. The sample was uploaded to VirusTotal some months ago and had 0 detections, as shown in Figure 17. A zero-detection result like this one is a reminder that the absence of antivirus detections does not show a file is benign.</p>
<figure id="attachment_127223" aria-describedby="caption-attachment-127223" style="width: 900px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127223" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/03/word-image-127183-17.png" alt="Image 17 is a screenshot of VirusTotal showing an older version of GoBruteforcer that had no VT detections. " width="900" height="365" /><figcaption id="caption-attachment-127223" class="wp-caption-text">Figure 17. VirusTotal detection: older version of GoBruteforcer.</figcaption></figure>
<h2><a id="post-127183-_cdtc9j3kv7x3"></a>Conclusion</h2>
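<p>Web servers have always been a lucrative target for threat actors. Because web servers are an indispensable part of an organization, weak passwords on them can lead to serious threats. Malware like GoBruteforcer takes advantage of weak (or default) passwords, so replacing default credentials with strong, unique passwords on exposed services such as FTP, Postgres and phpMyAdmin takes away the weakness this malware relies on.</p>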
<p>The GoBruteforcer bot comes with a multiscan capability, which gives it a wide range of targets that it can use to get into a network. GoBruteforcer also seems to be in active development, so attackers could change the techniques they use to target web servers in the near future.</p>
<p>Palo Alto Networks customers receive protections from malware families like GoBruteforcer and its malicious components with <a href="https://www.paloaltonetworks.com/cortex/cortex-xdr">Cortex XDR</a> or the <a href="https://www.paloaltonetworks.com/network-security/next-generation-firewall">Next-Generation Firewall</a> with <a href="https://www.paloaltonetworks.com/network-security/security-subscriptions">cloud-delivered security services</a> including <a href="https://www.paloaltonetworks.com/network-security/wildfire">WildFire</a> and <a href="https://www.paloaltonetworks.com/network-security/advanced-threat-prevention">Advanced Threat Prevention</a>. Alongside this, <a href="https://www.paloaltonetworks.com/network-security/advanced-url-filtering">Advanced URL Filtering</a> and <a href="https://www.paloaltonetworks.com/network-security/dns-security">DNS Security</a> can block the command and control (C2) domain and malware hosting URLs.</p>
<h2><a id="post-127183-_ez9vec5q9zky"></a>Indicators of Compromise</h2>
<h3><a id="post-127183-_4a29o28gsv64"></a>Hashes</h3>
<table>
<tbody>
<tr>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">de7994277a81cf48f575f7245ec782c82452bb928a55c7fae11c2702cc308b8b </span></td>
<td><span style="font-weight: 400;">Web shell</span></td>
</tr>
<tr>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">602129f00bb002f07db07affa78d46f67bd0b2c8fb0867ea2da5fc3e73dd2665</span></td>
<td><span style="font-weight: 400;">Web shell</span></td>
</tr>
<tr>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">acc705210814ff5156957c028a8d6544deaca0555156504087fdc61f015d6834 </span></td>
<td><span style="font-weight: 400;">Older version of GoBruteforcer</span></td>
</tr>
<tr>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">426b573363277554c7c8a04da524ddbf57c5ff570ea23017bdc25d0c7fd80218 </span></td>
<td><span style="font-weight: 400;">IRC bot(x86)</span></td>
</tr>
<tr>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">726ccd223a1cfb60fc6c3b48ea3dbf057da918efac5acf620cd026ee38fb0044 </span></td>
<td><span style="font-weight: 400;">IRC bot(ARM)</span></td>
</tr>
<tr>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">526767fbb26c911601371745d603885b75deabcc18261ed2d5a509d58f95d28e</span></td>
<td><span style="font-weight: 400;">GoBruteforcer (x86_64)</span></td>
</tr>
<tr>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">dd3555025957cd51cd048d920027a0ff2d5501bc85792529217d54086e9351c2</span></td>
<td><span style="font-weight: 400;">GoBruteforcer (x86_64)</span></td>
</tr>
<tr>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">df7dc0fe7e90a2414ac188c55d06ad3882cfc7394869c9ffa549fb1ddb304919</span></td>
<td><span style="font-weight: 400;">GoBruteforcer (x86_64)</span></td>
</tr>
<tr>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">ebe11121aafdac5d8f2eecba710ba85efa31617a5eb825ba2e89e23379b26b84</span></td>
<td><span style="font-weight: 400;">GoBruteforcer (x86_64)</span></td>
</tr>
<tr>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">5548935e7c6cf3b38240a0579cac36906e9883a1ec5e85335609e9e2062588c5</span></td>
<td><span style="font-weight: 400;">GoBruteforcer ARM(64-bit)</span></td>
</tr>
<tr>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">5627b138bc857081d2251edd7eb3b68cbd58dfff2f51b7cd34c893fffff2cfab</span></td>
<td><span style="font-weight: 400;">GoBruteforcer ARM(64-bit)</span></td>
</tr>
<tr>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">5c1d3fb43e9e35b835e62e05a7b97ed66ab132eab35bfc18ce543e8f58ccf5e2</span></td>
<td><span style="font-weight: 400;">GoBruteforcer ARM(32-bit)</span></td>
</tr>
<tr>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">7c27ac0daba19de227fcc467abfcdefa99426c768a3601b1b181e9741717665b</span></td>
<td><span style="font-weight: 400;">GoBruteforcer (x86)</span></td>
</tr>
</tbody>
</table>
<h3><a id="post-127183-_tvrhuk9xnsv4"></a>URL and IP</h3>
<ul>
<li><span style="font-family: 'courier new', courier, monospace;">5.253[.]84[.]159/x</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">fi[.]warmachine[.]su</span></li>
</ul>
<p><i><span style="font-weight: 400;">Updated March 14, 2023, at 6:20 a.m. PT to correct port numbers in Figure 1. </span></i></p>
          <div class="article__subscribe mb-40 text-gray-400 bg-gray-200 rounded-lg">
  <h4 class="h3 mb-10 text-black">Get updates from <br class="d-sm-none"> Palo Alto<br class="d-sm-none"> Networks!</h4>
  <p>Sign up to receive the latest news, cyber threat intelligence and research from us</p>
  <!-- <form action="https://app-guse4001.marketo.com/index.php/leadCapture/save2" method="post" novalidate class="subscribe-form py-25" name="Unit42_Subscribe"> -->
  <form action="https://www.paloaltonetworks.com/apps/pan/public/formsubmithandler.submitform.json" method="post" novalidate class="subscribe-form py-25" name="Unit42_Subscribe">
    <input type="hidden" name="emailFormMask" value="">
    <input type="hidden" value="1086" name="formid">
    <!-- <input type="hidden" value="818-CZC-273" name="munchkinId"> -->
    <input type="hidden" value="531-OCS-018" name="munchkinId">
    <input type="hidden" value="2141" name="lpId">
	<input type="hidden" value="1203" name="programId">  
    <input type="hidden" value="1086" name="formVid">
    <input type="hidden" name="mkto_optinunit42" value="true">
    <input type="hidden" name="mkto_opt-in" value="true">
    <div class="row">
      <div class="col-sm col-12 mb-sm-0 mb-15">
        <input type="email" name="Email" placeholder="Email address" class="subscribe-field d-block w-100 px-sm-25 px-15 bg-white" aria-label="Email">
        <p class="error-mail d-none mt-15 text-danger" style="color: #dc3545">Please enter your email address!</p>
      </div>
      <div class="col-sm-auto col-12">
          <input type="submit" value="Subscribe" class="btn btn--black btn--sm w-100" disabled="disabled">
      </div>
    </div>

    <div class="google-recapth mt-15">
      <div class="g-recaptcha" data-expired-callback="captchaExpires" data-callback="captchaComplete" data-sitekey="6Lc5EhgTAAAAAJa-DzE7EeWABasWg4LKv-R3ao6o"></div>
      <p class="error-recaptcha d-none mt-15 text-danger" style="color: #dc3545">Please mark, I'm not a robot!</p>
    </div>
  </form>

  <div class="font-size-ex-sm col-sm-7 p-0">
    <p>By submitting this form, you agree to our <a href="https://www.paloaltonetworks.com/legal-notices/terms-of-use">Terms of Use</a> and acknowledge our <a href="https://www.paloaltonetworks.com/legal-notices/privacy">Privacy Statement</a>.</p>
  </div>
</div>


        </div>
      </div>
    </div>
  </article>
<footer class="site-footer px-sm-0 px-15">
  <div class="pt-40">
    <div class="container pt-sm-30">
      <div class="row justify-content-lg-center">
        <div class="col-lg-11 col-12">
          <div class="row">
            <div class="col-lg-4 col-sm-3 col-12 order-sm-2">
              <nav class="footer-socials mb-sm-0 mb-25 text-white text-sm-right" aria-label="Footer Socials">
                                                <a href="https://twitter.com/Unit42_Intel" target="_blank" aria-label="Twitter"><span class="ui ui-4"></span></a>
                <a href="https://github.com/pan-unit42" target="_blank" aria-label="Github"><span class="ui ui-5"></span></a>
              </nav>
            </div>

            <div class="col-lg-8 col-sm-9 col-12 order-sm-1">
              <div class="row">
                <div class="col-sm col-12 footer-widget widget_nav_menu"><h4 class="h6 mb-15 font-weight-black">Popular Resources</h4><div class="menu-footer-company-phase-container"><ul id="menu-footer-company-phase" class="menu"><li id="menu-item-97096" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-97096"><a target="_blank" href="https://www.paloaltonetworks.com/resources">Resource Center</a></li>
<li id="menu-item-97097" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-97097"><a target="_blank" href="https://www.paloaltonetworks.com/blog/">Blog</a></li>
<li id="menu-item-97098" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-97098"><a target="_blank" href="https://www.paloaltonetworks.com/communities">Communities</a></li>
<li id="menu-item-97099" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-97099"><a target="_blank" href="https://docs.paloaltonetworks.com/">Tech Docs</a></li>
<li id="menu-item-97100" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-home menu-item-97100"><a href="https://unit42.paloaltonetworks.com/">Unit 42</a></li>
<li id="menu-item-97101" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-97101"><a target="_blank" href="https://www.paloaltonetworks.com/sitemap">Sitemap</a></li>
</ul></div></div><div class="col-sm col-12 footer-widget widget_nav_menu"><h4 class="h6 mb-15 font-weight-black">Legal Notices</h4><div class="menu-footer-legal-notices-phase-container"><ul id="menu-footer-legal-notices-phase" class="menu"><li id="menu-item-97093" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-97093"><a target="_blank" href="https://www.paloaltonetworks.com/legal-notices/privacy">Privacy</a></li>
<li id="menu-item-97094" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-97094"><a target="_blank" href="https://www.paloaltonetworks.com/legal-notices/terms-of-use">Terms of Use</a></li>
<li id="menu-item-97095" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-97095"><a target="_blank" href="https://www.paloaltonetworks.com/legal">Documents</a></li>
</ul></div></div><div class="col-sm col-12 footer-widget widget_nav_menu"><h4 class="h6 mb-15 font-weight-black">Account</h4><div class="menu-footer-trending-topics-phase-container"><ul id="menu-footer-trending-topics-phase" class="menu"><li id="menu-item-97102" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-97102"><a href="https://start.paloaltonetworks.com/preference-center">Manage Subscriptions</a></li>
<li id="menu-item-97103" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-97103"><a href="#" aria-label="menu-item">&nbsp;</a></li>
<li id="menu-item-97104" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-97104"><a href="https://www.paloaltonetworks.com/security-disclosure">Report a Vulnerability</a></li>
</ul></div></div>              </div>
            </div>
          </div>

          
            <div class="copyrights py-25 mt-40">
               <p>© 2023 Palo Alto Networks, Inc. All rights reserved.</p>
            </div>
          
        </div>
      </div>
    </div>
  </div>
</footer>
<form method="post">
<input type="hidden" id="_wpnonce" name="_wpnonce" value="df9aedef0a" /><input type="hidden" name="_wp_http_referer" value="/gobruteforcer-golang-botnet/" /></form>
<script type="text/javascript">
    const observer_lozad = lozad('.lozad, .lozad-background'); // lazy loads elements with default selector as '.lozad'
      observer_lozad.observe();
        if(referer == "Prisma" || referer == "Cortex" || referer == "Sase" || referer == "Unit" || referer == "Ngfw"){
	var Coveo_organizationId = "paloaltonetworksintranet";        
        var techDocsPagePath = "https://docs.paloaltonetworks.com/search.html#hd=All%20Prisma%20Cloud%20Documentation&hq=%40panproductcategory%3D%3D(%22Prisma%20Cloud%22)&sort=relevancy&layout=card&numberOfResults=25";
        var languageFromPath="en_US";
        window.Granite = window.Granite || {};
	Granite.I18n = (function() {
		var self = {};
		self.setLocale = function(locale) { };
		self.get = function(text, snippets, note) {
        	var out = "";
        	if(text){
        		if(text ==="coveo.clear"){
        			out = "Clear";
        		}else if(text ==="coveo.noresultsfound"){
        			out = "No results found for this search term.";
        		}
        	}
        	return out;
        };
        return self
	}());
}
/*
    var Coveo_organizationId = "paloaltonetworksintranetsandbox1";
    var searchResultsPagePath = "https://www.paloaltonetworks.com/search/prismasearch";
    var techDocsPagePath = "https://docs.paloaltonetworks.com/search";
    var languageFromPath="en_US";
    */
       	var main_site_critical_top = maindomain_lang+'/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.js';
	var main_site_defered = maindomain_lang+'/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/defered.min.js';
	var main_site_criticalTopBase = maindomain_lang+'/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopBase.min.js';
	var main_site_criticalTopProductNav = maindomain_lang+'/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.js';
        window.PAN_MainNavAsyncUrl = maindomain_lang+"/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html";

function loadScript(url, defer){
        var script1 = document.createElement('script');
        script1.setAttribute('type', 'text/javascript');
        script1.setAttribute('src',url);
        if(defer == true){
            script1.setAttribute('defer','defer');
        }
        document.head.appendChild(script1);
}
function loadScript1(url, callback){

        var script = document.createElement("script")
        script.type = "text/javascript";

        if (script.readyState){  //IE
            script.onreadystatechange = function(){
                if (script.readyState == "loaded" || script.readyState == "complete"){
                    script.onreadystatechange = null;
                    callback();
                }
            };
        } else {  //Others
            script.onload = function(){
                callback();
            };
        }

        script.src = url;
        document.getElementsByTagName("head")[0].appendChild(script);
}
if(referer == "Prisma" || referer == "Cortex" || referer == "Sase" || referer == "Unit" || referer == "Ngfw"){
	if(referer == "Unit"){
		loadScript(main_site_criticalTopBase, false);
		loadScript1(main_site_criticalTopProductNav, function(){
			window.PAN_initializeProduct2021Nav();
		});
		loadScript(main_site_defered, false);
	}
	else{
		loadScript1(main_site_critical_top, function(){
			window.PAN_initializeProduct2021Nav();
		});
		loadScript(main_site_defered, false);
	}
}
</script>
    <script type="text/javascript">
	var isProcessing = false; 
    function alter_ul_post_values(obj,post_id,ul_type){
	
		if (isProcessing)    
		return;  
		isProcessing = true;   
		var like_nonce = jQuery('#_wpnonce').val();
		jQuery(obj).find("span").html("..");
                jQuery.ajax({
                    type: "POST",
                    url: "https://unit42.paloaltonetworks.com/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php",
                    data: "post_id="+post_id+"&up_type="+ul_type+"&ul_nonce="+like_nonce,
                    success: function(msg){
                            jQuery(obj).find("span").html(msg);
                            isProcessing = false; 
                            jQuery(obj).find('svg').children('path').attr('stroke','#0050FF');
                            jQuery(obj).removeClass('idc_ul_cont_not_liked idc_ul_cont_not_liked_inner');
                    }
 		});
	}
	</script>
    <link rel='stylesheet' id='wpdevart_lightbox_front_end_css-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/lightbox-popup/includes/style/wpdevart_lightbox_front.css?ver=6.1.1' type='text/css' media='all' />
<link rel='stylesheet' id='wpdevart_lightbox_effects-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/lightbox-popup/includes/style/effects_lightbox.css?ver=6.1.1' type='text/css' media='all' />
<script type='text/javascript' id='ppress-frontend-script-js-extra'>
/* <![CDATA[ */
var pp_ajax_form = {"ajaxurl":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","confirm_delete":"Are you sure?","deleting_text":"Deleting...","deleting_error":"An error occurred. Please try again.","nonce":"5a64d338c7","disable_ajax_form":"false","is_checkout":"0","is_checkout_tax_enabled":"0"};
/* ]]> */
</script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/wp-user-avatar/assets/js/frontend.min.js?ver=4.4.1' id='ppress-frontend-script-js'></script>
<script type='text/javascript' src='https://www.google.com/recaptcha/api.js' id='google/api-js'></script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/dist/scripts/main.js' id='unit42/js-js'></script>
<script type='text/javascript' id='wpdevart_lightbox_front_end_js-js-extra'>
/* <![CDATA[ */
var wpdevart_lb_variables = {"eneble_lightbox_content":"enable","overlay_transparency_prancent":"80","enable_video_popuping":"enable","popup_background_color":"#000000","popup_loading_image":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/popup_loading.png","popup_initial_width":"350","popup_initial_height":"300","popup_youtube_width":"640","popup_youtube_height":"410","popup_vimeo_width":"500","popup_vimeo_height":"410","popup_max_width":"5000","popup_max_height":"5000","popup_position":"5","popup_fixed_position":"true","popup_outside_margin":"0","popup_border_width":"2","popup_border_color":"#000000","popup_border_radius":"10","control_buttons_show":"true","control_buttons_show_in_content":"false","control_buttons_height":"30","control_buttons_line_bg_color":"#000000","control_button_prev_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/prev.png","control_button_prev_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/prev_hover.png","control_button_next_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/next.png","control_button_next_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/next_hover.png","control_button_download_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/download.png","control_button_download_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/download_hover.png","control_button_innewwindow_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/innewwindow.png","control_button_innewwindow_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/im
ages\/contorl_buttons\/innewwindow_hover.png","control_button_fullwidth_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/fullwidth.png","control_button_fullwidht_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/fullwidth_hover.png","control_button_fullwidthrest_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/fullwidthreset.png","control_button_fullwidhtrest_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/fullwidthreset_hover.png","control_button_close_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/close.png","control_button_close_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/close_hover.png","information_panel_show":"false","information_panel_padding_top":"0","information_panel_padding_bottom":"0","information_panel_show_in_content":"false","information_panel_bg_color":"#000000","information_panel_default_transparency":"100","information_panel_hover_trancparency":"100","information_panel_count_image_after_text":"Image","information_panel_count_image_middle_text":"of","information_panel_count_padding_left":"15","information_panel_count_padding_right":"4","information_panel_count_font_size":"20","information_panel_desc_padding_left":"15","information_panel_desc_padding_right":"4","information_panel_desc_font_size":"20","information_panel_desc_show_if_not":"true","information_panel_text_for_no_caption":"No Caption","information_panel_title_padding_left":"5","information_panel_title_padding_right":"5","information_panel_title_font_size":"15","information_panel_title_show_if_not":"true","information_panel_text_for_no_title":"No 
Title","information_panel_ordering":"{\"count\":[1,\"count\"],\"title\":[0,\"title\"],\"caption\":[0,\"caption\"]}"};
/* ]]> */
</script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/lightbox-popup/includes/javascript/wpdevart_lightbox_front.js?ver=1.0' id='wpdevart_lightbox_front_end_js-js'></script>
          
  </body>
</html>
